Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!



Omand Warns of "Ethically Worse" Spying If Unbreakable Encryption Is Allowed

IBitOBear So back to the old way when the laws worked (385 comments)

The bulk of the laws involving surveillance pivoted on this "Close" work. It was hard to do, and it required some motive to be "worth the effort". So in the old days where you needed to intercept physical mail or actually enter a property to spy, the laws were in balance.

Of late the state has had a free ride, with the information being pumped into it at central stations and spycraft was just a click away. And the state has gotten fat and lazy, and with the decreased minimum effort the spying has become free. And the state, fat and happy, likes it that way.

But strong encryption would put the state back into the footrace. It would require the same work and effort as the old days. Boo farking hoo. It was _supposed_ to be hard to spy. The entire Big Brother 1984 idea was about the destructiveness of surveillance made too easy to bother being selective. The "just watch everybody" economy of effort leads to gluttony and abuse. We kwow that.

So Omand's "warning" is that of the plaintive child. But mom, then I'll have to _try_ and I want my participation trophy!

So Omand has made the case for why strong encryption should be universal so that the state cannot engage in universal surveillance.


Obama Administration Says the World's Servers Are Ours

IBitOBear Re:You have this backwards. (749 comments)

Interesting distinctions. Does Microsoft own the servers directly, or through a subsidiary? Is Microsoft a direct participant in the action or just a third party?

If Microsoft is just a third party then their case is very strong.

about 6 months ago

Obama Administration Says the World's Servers Are Ours

IBitOBear If it's a "subsidiary" it's within reach. (749 comments)

If it was a Mexican _partner_ you'd be right. If it's a Mexican _subsidiary_ you are wrong.

A "subsidiary" is an owned asset. If you own an asset and it was in Brunei and you are here before the court, the court can order you to surrender that asset because you onw it and you are subject to the law where you are.

I don't have to subpoena you in Brunei if I've got you here.

Your only defense is if Mexican law makes it _illegal_ for you to move or copy the asset. In that case you'd have the "the court cannot require me to break the law" defense, which is not the same as the "it's far away" defense Microsoft is attempting.

For instance, lets say Fidelity (a french company) was required, in French court, to produce my financial records for the purpose of auditing Fidelity for alleged misconduct. And let's say Fidelity didn't want to do so. They could resist the production order under various U.S. laws such as HIPPA if my records incidentally contained medical information.

Likewise, if the E.U. privacy regulations covered some or all of these documents then Microsoft _could_ _have_ argued _that_ against the production order. Same for things like Attourney Client Privilege and any number of other things. I work for a company in the U.S. that is a wholly owned subsidiary of a brittish company. But the brittish crown and court cannot successfully supponea any of our non finincial documents because we do defense work and so U.S. law would prevent the export of that material. But the money stuff is fair game.

So too for paper documents. The "that would be illegal" defense cuts very fine. If the documents were in Afghanistan, and printed on pure marijuana leaf, then you could argue against shipping the original documents here because marijuana is illegal here. But the court could then require you to photocopy or fax the documents here on a more legal paper.

Now people have been talking "warrant" vs "subpoena" and I don't actually know for sure which thing is happening. A demand for surrender (subpoena) is different than a warrant to enter and search. This sounds like a subpoena not a warrant, as a warrant woudln't be served to Microsoft here, it would be processed by the foreign government and would be served _there_ by local law enforcement.

Given all that, "the old paper courts" are no different than the current paper courts. The "on a computer" bit is immaterial.

If Microsoft controls the documents personally, or through an agent, and a "subsidiary" is a kind of agent with lots of legal precident, the documents are fair game unless an actual law in the other jurisdiction says they are not. Paper or not.

The question is one of control not format of storage.

about 6 months ago

Obama Administration Says the World's Servers Are Ours

IBitOBear Re:You have this backwards. (749 comments)

If I used a Saudi document escrow or storage service to store my documents, and they stored them in Botswana, there would be at least three jursidictions with the ability to subpoena those documents. Botswana, Saudi Arabia, and Wherever I live (so State of Washington, and U.S.A. federal jurisdictions).

It was _my_ choice to involve the Saudis and they were acting as my agent when they involved Botswana.

Sucks to be me if my documents are not actionable here but against the law there. I got those places involved in my business by doing business with them. That's the nature of actual, personal responsibility.

Really read this sentence: "In essence, President Barack Obama's administration claims that any company with operations in the United States must comply with valid warrants for data, even if the content is stored overseas."

This is a core tenant of law. It is the same legal principle that says the U.S. can prevent and punish a U.S. company from shipping heroin and sex slaves from Afghanistan to Brunei because they _are_ a U.S. company. It's also the same reason that a Brunei court can go after the same company.

If I go to mexico I am bound by Mexican _and_ U.S. Law. You can substitute any countries for any countries in this scenario.

This is also why I am mostly untouchable in Utah and Montana since I've never been in Utah, and I drove through Montana once. But that could change if I started a partnership with someone who lived in Utah. That relationship between them and I could bring many of my details under the jurisdiction of the Utah court.

You step in a river, you get water on you. You splash around in business in a particular country, the law of that country will stick.

Microsoft does business here. The dispute is a dispute here. That Microsoft stores the relevant material there, by accident of fate or by purpose of design, doesn't insulate that material from this court.

Where is the dispute, who created the material, and where are they, and where were they when they made the material. These are not very advanced questions.

It's more or less the same reason that a U.S. court can prosecute a U.S. citizen for "sex toruism" if they do the under-aged nasty in a land where that's supposedly okay, because they did it under the tacit protection of the U.S. because they could call their council and embassy via their citizenship and passport etc.

It's very, very hard to wash off a jurisdiction. One of the reasons the Swiss were so useful for so long is that they just wouldn't say what they were holding. Other jurisdictions could hold you responsible for what they could prove you "must have", but they couldn't ever get the swiss to _be_ that proof because they would simply remain silent.

There is no dispute that Microsoft has these documents. There is no dispute that Microsoft is a U.S. company. There is no dispute that the dispute is taking place in the U.S. So Microsoft's claim is _almost_ pro forma. They don't _want_ to cough up the stuff, but they likely have no belief that this defense will work.

Part of what Microsoft sells here is "if they mess with your bull they'll get _our_ horns, so trust us with your stuff". The very fact of the defense, despite its absurdity, is a feather in their cap.

But eventually the documents will be produced.

about 6 months ago

Obama Administration Says the World's Servers Are Ours

IBitOBear You have this backwards. (749 comments)

Microsoft is trying the "you can't hold me responsible for yesterday's shooting because the gun is in my other pants" defense.

The law has _always_ held that if you are before the court, everything relevant to the case is before the court.

If this were not the case then the Tobacco and Asbestos companies could have just said "all those meeting minutes and research records are stored in our warehouse in mexico so ha ha, you all lose." Any company or person, on any issue, could just mail the evidence out of state or out of country and get off scott free.

That just never happened.

Just because the evidence is "on a computer" instead of "printed on paper" doesn't make the "other pants" defense viable.

The court is not reaching across a border. Microsoft is _here_. Microsoft does business _here_. The complaint is _here_, and the court is _here_. The proper legal response to "the other pants" gambit is to tell the guy in his shorts to send someone to go get whatever it is from those pants and bring it back.

Criminals don't just "move" their assets to other countries, they "hide" them because if it can be found it's on the table.

Every court. Every country. Every topic. From the beginning of time.

This is no different.

about 6 months ago

Obama Administration Says the World's Servers Are Ours

IBitOBear No so much actually. (749 comments)

This isn't a case of the U.S. reaching across a border. Microsoft is _here_. Microsoft is doing business _here_. The court _here_ is ordering microsoft _here_ do produce documents _here_. Microsoft's claims that the docuements are "in their other pants" (e.g. on a server in Ireland) is immaterial because microsoft is _here_ and _microsoft_ owns those documents.

Now _if_ this were a case where a U.S. Court was ordering a company that was not _here_, say an Irish company that was _there_ in Ierland called Irish Pizza Delivery Co. to cough up emails even though they don't do any business here... that would be a huge over-step. That over-step is because they are _there_, or more correctly _not_ _here_, and the court is _here_.

This is _exactly_ the same reason that the U.S. Tobacco companies and Asbestos companies could not dodge legal responsibility by just shipping their money and internal paperwork to south america as soon as people started coughing.

about 6 months ago

One In Ten Americans Thinks HTML Is a Type of Sexually Transmitted Infection

IBitOBear Or are bitter and jaded (255 comments)

I know that when I am being data mined I am very likely to pick the funny or ironic answer to any poll. The less intelligent the dumbest option is, the more likely I am to select it. My data is valuable and if you aren't gong to pay a fair price, and you intend to use it to subvert my happiness, I am not likely to go quietly to the slaugter.

I remember some movie where a guy lands in a Gulag and is being forced to make mitten liners. He learns from one of the other guys to sew them shut across the fingers and then hide the sabatoged ones by slipping them into the "already inspected" pile. It is sabatoge and it's faster than making the proper stitch so it's easier to meet the quota.

Lots of people maliciously answer polls and such, or so I suspect, which is why they are such a terrible instrument of governance and polity.

And P.S. if you don't limit people to thinking about tech, well there are _many_ blue species of sting and mant rays, so contextually they might have a point on answering some of those questions. Its that whole ability to read past typos that humans are so gifted with.

So conclusion? Polls suck, they suck slightly more than the pollsters conducting them, um-kay?

about a year ago

One In Ten Americans Thinks HTML Is a Type of Sexually Transmitted Infection

IBitOBear HTML is an accessory fruit. (255 comments)

The sad truth is that HTML is just an accessory fruit for delivering other seeds of ideas, good and bad. Most of those ideas are capable of hosting infections, particularly DRM, computer viruses, and the kind of porn you wish you could unsee.

about a year ago

Bug In the GnuTLS Library Leaves Many OSs and Apps At Risk

IBitOBear The case _for_ goto (231 comments)

The linux kernel is full of gotos. Assembly is bereft blocks and that sort of structure. So "goto" isn't the source of all evil.

Consier this example of the linux goto paradigm below. When taking locks and establsihing component preconditions you can write an optimal routine that does the stepwise creation, and includes the non-conditional cleanup. Then skipping the cleanup if all the parts succede. The example below is trivial, but when it comes to preserving locking orders it solves a hard problem very simply. And if you check out the generated code its very efficent. More so if you hint the compiler that the success case is most likely for each conditional.

So take the simple example and imagine you are building something complex like a network request with data and metadata buffers and the actual request structure itself et al... as the number of parts grow the number of bizarre else conditions you have to use to do stepwise cleanup become bothersome repetitions of code. Its even worse if it's part1 _or_ part2 along with part3 etc. Complexity and repetition of phrases in the elses is plenty of reason to use goto.

complex_thing * hard_thing() {
complex_thing * retval = 0;
thing_pt1 * pt1 = 0;
thing_pt2 * pt2 = 0;
if (pt1 = generate_first()) {
    if (pt2 = generate_last(pt1)) {
        if (retval = generate_final(pt1,pt2)) {
            goto success;
if (pt2) cleanup_last(pt2);
if (pt1) cleanup_first(pt1);
return retval;

Simply put, there are times when a well-placed goto with a clear purpose and precondition can simplify code and accelerate execution.

Do I use a lot of gotos? no. Probably six C/C++ gotos in the last fifteen years. But when they are the correct tool to use, they can be magical.

about a year ago

Bug In the GnuTLS Library Leaves Many OSs and Apps At Risk

IBitOBear Writing safety-aware code _somewhere_ (231 comments)

Since all machine code is potentially brittle, the argument for using "safety aware languages" is itself brittle. For instance, Ada is safe because it doesn't allow deallocation unless you use ada.unchecked_deallocation(), or in the alternate, build nothing on the heap, or just hope that the Ada implementation has garbage collection, or..., or... etc.

_Someone_ has to do the work to protect whatever the brittleness is at issue.

For years I have used "struct Buffer { char * start, char * end};" instead of just char * string. (thing.end-thing.begin) is faster than strlen() and the constraints are always present. I've got a library full of simple bits that make this work (a wrapper around write(2) and read(2) for example).

Bad code can be written in any language. Java is safe? Well kind of, until you start making circles of referencds and losing them. sounds harmless unles there is a task and open socket in that circular reference and you've left a link back to some structure so that the socket is now able to access some nonsense.

The best tools in the worst hands are far worse than the worst tools in the best hands. Yelling for tools is a specious argument. Someone has to do the work, and that someone may well bone the job.

about a year ago

Bug In the GnuTLS Library Leaves Many OSs and Apps At Risk

IBitOBear I propose "Snowden" become a active tense op (231 comments)

(v) Adding a bit of code, hardware, or operation you know you shoudln't because an authority requires you do so.
"Hey honey, I'll be late for dinner, I have to snowden the latest release of firefox."

(n) the sneaky bit of intrusive technology
"Hey what's this bit?" "Shhh, that's the snowden."

I know he was the wistleblower, but we should enshrine his deed and the knowledge that this is happening using his name in memoriam.

about a year ago

Bug In the GnuTLS Library Leaves Many OSs and Apps At Risk

IBitOBear Definition of "Enough" and "fase dichotomy" (231 comments)

ASIDE: Your point is mute [look up "moot" before attempting correction. 8-) ]. Enough is enough, and any less is not enough. That's the definition of enough.

Consider: "If you eat enough pudding you'll die"... the only test case is to keep eating pudding till you die. If you stop before you die you didn't eat enough. 8-)

Now the point that all eyeballs are not equal is fine and obvious. It only takes one metaphorical eyeball, connected to the correct brain, to find a bug. So one is enough if the rest of the configuration is suitable, and an infinite number are not enough if they lack the context.

The real difference between FOSS and others is not the quality of the eyeballs but the opportunity for the correctly quipped eyeball to fall on the relevant bit. In closed source applications the right post-eyeball configuration would have to first be part of the set of allowed eyeballs, and it would likely have to be actively paid to look for the bug directly or indirectly since the limited herd of eyeballs all have their assignments.

Pretending that the better solution (FOSS IMHO) is unworkable because it's demonstrably imperfect ignores the fact that the far less functional (NON FOSS IMHO) has a demonstrably worse track record. That comparason and derision is just "false dichotomy" and kind of an example of, perhaps, why you aren't the set of eyeballs in charge.

In non-FOSS circumstances virtually all eyeballs lack the context to find and fix problems because they lack access to the source.

So your argument fails because it implicitly argues against exposure, or argues that exposure isn't enough if the right people aren't looking. The failure isn't one of fact but of position. You offer no counter proposal. You are pissing on the model that exists but offering no alternative. In short you are engaged in venting of some sort but you are apparently not one of the set of eyeballs ready to offer solutions.

about a year ago

Rise of the Warrior Cop: How America's Police Forces Became Militarized

IBitOBear Didn't "run away" from europe... (835 comments)

Actually the "Prutian Sepratists" were kicked out of europe for advocating regicide (trying to get someone to kill the king). They were granted title to what is now Verginia but decided to stay where they made landfall instead (not very good sailors). And they didn't come for freedom of religion, they wanted to set up their very own Jonestown (Guyana). It's right there in their name "puritan sepratists".

We don't necessarily have a thing for fear. We have a thing for authoritarianism.

So dear Europe, the next time you decided to export all your religious wacos, don't sent them all to the same place... it weakens the gene-pool.

There just happens to be a high correlation between fear and republicanism, so they run on the more police, more prisons, and to do so the conservative media bias is deliberately miss-sold as a liberal one. It's a self-perpetuating cycle.

On top of that, criminals all want to be cops, but only the petty criminals can make it though the background check. The cirminals want a taste of the power that previously held them down. So you end up with a lot of well armed, otherwise petty criminals ganged up in one profession exercising their egos.

about a year and a half ago

Ask Slashdot: How To Deliver a Print Magazine Online, While Avoiding Piracy?

IBitOBear So ask nicely and don't be a dick. (298 comments)

Seriously, just ask your client base not to copy the mag, and maybe even do "pay what you want". It worked really well for The Humble Bundle.

If the product is good and you treat your customer base well, they will pay. IF you don't they wont.

The people who are going to copy it are not the people you want to care about as customers. Count them for ad revenue (like any other advertisement model, the reader is the product as far as the advertisers are concerned so copying is good from that angle.

You just need to find the sweet spot between universally free distribution (for high advert return) and enough direct sales for it's own sake.

And don't be a dick.

about a year and a half ago

What Medical Tests Should Teach Us About the NSA Surveillance Program

IBitOBear Sharpshooter Falacy (107 comments)

You know, when people talk about who was warned about what, they completely forget the sharpshooter falacy. Warn everyone about everyone, then when some one does some one thing you can say "you were warned" because, in the huge pile of everything-squared you can find that nedle in the nedle-stack.

Now all the people who pointed at the nedle demand a bigger nedle-stack full of smaller and smaller nedles.

More signal. But more noise. And more noise per each increment in signal.

And more blame to go around.

There was a song, it has a point. "You have to hold-on loosly but don't let go". There was a movie, and it has a point "the more you tighten your grip the more systems will slip through your fingers." It's like there are all these old aphorisms and they came about for having truth within them. The truth of moderation.

More isn't better, it likely never was.

about a year and a half ago

Electronics Arts CEO Ousted In Wake of SimCity Launch Disaster

IBitOBear Re:Schadenfreude (427 comments)

No you wouldn't want to jump from a plane with a solid gold parachute (it'd be too heavy). Golden is a different beast alltogether. A golden parachute could be made out of $20m of rarest silk with all the d-rings made from chocolate diamonds and a harness embroydered with hundreds of untraceable swiss bank account numbers.

In one of the Books of the Malazans series there was a town where, should you default on an obligation the holder of that obligation could decide to to make you swim across the local harbor with bearing the amount of your default strapped to your body in gold. It cost the owed party twice the amount (e.g. his cash out of pocket and the money he'd never get from you) but people were very unlikely to default on obligations. Plus the creditor coudl often make his money back on the side bets for how long it took you to drown... Now _that_ woudl be a system for exiting CEOs.

about 2 years ago

U.S. Reps Chu and Coble Start Intellectual Property Caucus

IBitOBear Be Serious (150 comments)

This "represetation of the artists" will be the DRM and studios... I get your point about the public domain, but who is going to represent the _actual_ artists and other creatives?

about 2 years ago

U.S. Reps Chu and Coble Start Intellectual Property Caucus

IBitOBear Re:And who will represent the people? (150 comments)

Stupider than that... grandparent says "GOP aka Republicans"... so not only does he not know what the GOP is, he was unable to read the whole post.

about 2 years ago

SSH Password Gropers Are Now Trying High Ports

IBitOBear more on point (349 comments)

since fail2ban would ban the entire NAT(ed) other office if one actor there were to fail-out from a host in that office, it suffers from the same "short coming" as my script in general, and if you know that some particular shop somewhere is behind a nat, why wouldn't you then white-list that address anyway? e.g. using fail2ban is a good way to let one noob at (remote office) lock out everyone at (remote office). Just because it _hasn't_ happened to you yet doesn't mean that you are ready for the case when it does.

That's a real wizzer of a solution there bob...

If you don't already have white-lists (and preferably VPNs) between known good sites you are just a denial-of-service or "I can't remember my password with this hangover" event away from the theoretical firing anyway.

Again, if you don't know how to apply your tools then all solutions that you don't already think are super-duper will seem suspect. Since you don't seem to know the weaknesses of your current solution, and you improperly apply your "wisdom" as analysis of _my_ solution, you are proved doubly wrong.

Cookbook fail to you, good sir...

(P.S. I know, and point out, that the good and bad attempts are counted in the limit. There are reasons. That those reasons don't apply to your case doesn't make _me_ wrong, it makes _you_ short-sighted for assuming that what doesn't work for your case can't possibly be correct for anyone. 8-)

about 2 years ago

SSH Password Gropers Are Now Trying High Ports

IBitOBear The reason(s) for this constructon (349 comments)

While I do use this at home, I also use it on a number of forward facing servers for business purposes (usually with different thresholds and numbers). I spend very little time at "my desk" so the ability to know that I will always have a computer with a pre-shared key available is quite limited. If I am, say, at a hangar at an airfield and I get an emergency call to check on a host, I can ssh to my own (unprivileged) account and elevate my privileges thereafter. So I, and my very few alternates, can respond from anywhere with no chance of leaking meaningful key material as one might if they tried to match up known/authorized keys (and USB sticks are verboten in many of the places I find myself).

In that usage pattern, if I ended up having to ssh in more than five times in a single hour then things are really not right. (and if I knew that sort of thing was going to happen I _could_ always tweak the rule, but I more often use the multi-session ControlPath etc options to side-step the 5-per-hour limit if larger maintenance comes to the front).

That is, I limit the connections pass-or-fail, because it matches the expected (sparse) use pattern and so also limits the ability of a compromised machine I might use as a source box from spanning into the target machine. For instance I can use a source host and then invalidate it by making a couple extra connections so if, say, I have to use an internet cafe (it's never happened, but it might) or hotel computer or whatever, I can keep a clever follower-on from using a key-logger or whatever, from just using the link agian. [granted he could use the information from a different computer etc and I have other means for dealing with that sort of thing (locking the access account after use until I can get somewhere secure and change the password; single-use passwords on some systems, etc), but in terms of a quick access and then block, this works well.]

Different access models require different tools. Being able to ssh in from just about anywhere has come up as useful. Having several useful ways of closing that door, or having it slammed shut perforce, after the valid use are also important levels in any paradigm.

Also, if you reuse the named recent table (e.g. "bad_actors" in this example) [or indeed a whole chain if it's not SSH specific if you replace "ACCEPT" with "RETURN"] in different rules you can easily catch a machine on its very first port-scan or on a single attempt to reach a service you know you don't offer (like SMB service) and drop it into the named table. This lets the co-variants of the one rule "gang up" on the bad actor from different parts of your rule set without invoking expensive external processes. For instance if you also --set an IP address as a bad_actor for sending you a SYN/FIN or a broadcast ping then that one host doesn't get to double or triple dip your security.

about 2 years ago



IBitOBear IBitOBear writes  |  about 8 years ago

IBitOBear writes "It seems that every web site these days wants me to provide answers to "security questions". Most of these questions are not that unique (mother's maiden name), some are unlikely (name of the person I went to prom with), more are just unanswerable (mother's youngest sibling if she's an only child), and some sites are just plain broken (one site recently wanted the city of my birth, but wouldn't allow spaces in the response, and I guarantee that when it comes time to answer I'll forget it was all crammed together just on that site). In terms of practical security this seems like a fad with no substance. When one site did it, it was "clever", but now that they all know my mother's maiden name aren't I _LESS_ secure? It seems like these questions really just serve as second and third password prompts, except that if I answer them honestly the resulting passwords are generally something a bad actor could find out pretty easily. There is typically no "opt-out" of these "added security features" and some sites will let you see your previous answers, so if the cracker gets in there he gets bonus information about you. Aside from inventing a fake personal history for each site, what or where are my options? This _feels_ like the web site equivalent of banning hair-gel from airplanes. I know enough about information theory that I feel more exposed under my new Friendly Security Questions overlords. Anybody see any practical solution aside from going all Luddite?"

IBitOBear IBitOBear writes  |  more than 8 years ago

IBitOBear writes "A couple days ago I did "the interview loop" at that leading online retailer. Over the course of six hours I was repeatedly introduced to a guy in his early twenties, who would then ask me to write out code on a white-board for a problem that you might find in the study guide for a 200-level computer science class. I have 20 years of experience in programming and systems design. And in several cases the interviewers were vague, semantically incorrect, or self-contradictory. Interviewer blunders included not understanding that non-normal forms in databases can be more correct or efficient when the domain of a data is extremely limited; or choosing a leader amongst N candidates is a byzantine agreement problem. In short, the loop would have been perfect to weed out some guy getting his first job fresh out of school, but it definitely exerted selection pressure towards excluding experienced candidates. So employers, what are you doing to make sure that you are not culling out candidates with the low-ball? And job seekers, what do you do when you find yourself trapped in a sophomore study group?"



TCP Shaper Script

IBitOBear IBitOBear writes  |  more than 6 years ago #!/bin/bash
# Provides:          shaper
# Required-Start:    firewall
# Required-Stop:     firewall
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Shape traffic on interfaces.

# init script written by shane at knowplace dot org
# this script only creates the qdiscs and classes required for shaping, it
# does NOT create the necessary filters

# modified by Rob White rwhite at pobox dot com
#   mostly to take the link speed as an argument

declare -i INTERFACE_SPEED=768
declare -i BURST=1200
declare -i CBURST=1500

rc_done="  done"
rc_failed="  failed"

declare -i  CEILING=$((INTERFACE_SPEED * 98 / 100))
declare -i  COUNTER
declare -ai WEIGHT=(2 2 2 2 2)
declare -i  SLOTS=${#WEIGHT[@]}
declare -i  AGGREGATE=0
declare -ai SHARE
declare -i  USED=0


declare -i BURST_CEILING=$((CEILING * 100 / 100))



tc_reset ()
        # Reset everything to a known state (cleared)
        $TC qdisc del dev $INTERFACE root 2> /dev/null > /dev/null

tc_status ()
    echo "[qdisc - $INTERFACE]"
    $TC -s qdisc show dev $INTERFACE
    echo "------------------------"
    echo "[class - $INTERFACE]"
    $TC -s class show dev $INTERFACE

tc_showfilter ()
    echo "[filter - $INTERFACE]"
    $TC -s filter show dev $INTERFACE

case "$1" in

        echo -n "Starting traffic shaping"
        U320="$TC filter add dev $INTERFACE protocol ip parent 1:0 prio 0 u32"
        # dev eth0 - creating qdiscs & classes
        $TC qdisc add dev $INTERFACE root handle 1: htb default $((${#SHARE[@]}+1))0
        $TC class \
            add dev $INTERFACE \
            parent 1: classid 1:1 \
            htb rate ${CEILING}kbps \
                ceil ${BURST_CEILING}kbps \
                ${BURST:+burst ${BURST}b} \
                ${CBURST:+cburst ${CBURST}b}
        for ((COUNTER=0; COUNTER < (${SLOTS} + 1); ++COUNTER)) do
           $TC class \
               add dev $INTERFACE \
               parent 1:1 classid 1:$HANDLE \
               htb rate ${SHARE[$COUNTER]}kbps \
                   ceil ${BURST_CEILING}kbps \
                   ${BURST:+burst ${BURST}b} \
                   ${CBURST:+cburst ${CBURST}b} \
                   prio $COUNTER
           $TC qdisc \
               add dev $INTERFACE \
               parent 1:$HANDLE \
               handle $HANDLE: \
               sfq perturb 6

        echo -n "Stopping traffic shaper"
        tc_reset || return=$rc_failed
        echo -e "$return"

        $0 stop && $0 start || return=$rc_failed



        echo "Usage: $0 {start|stop|restart|stats|filter}"
        exit 1

test "$return" = "$rc_done" || exit 1


Firewall Script

IBitOBear IBitOBear writes  |  more than 6 years ago #!/bin/bash -e
# Provides:          firewall
# Required-Start:    networking
# Required-Stop:     networking
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Secures interfaces.

# IPTABLES Firewall v 0.86
# by shadow999@firemail.de
# Small parts from http://members.optusnet.com.au/~technion/
# and some tutorials
# This script is intended to setup a masquerading firewall based on
# the IPTABLES (Net)filter-machanism of Linux 2.3.15+
# Syslogging matches fireparse for graphical output (see http://www.fireparse.com)
# Normally this script will work 'out-of-the-box', but you should adapt it to
# your own needs (At least you should set the correct default interfaces
# --> see Default-Interfaces section)
# Comments, suggestions, etc. are welcome
# Usage on your own risk ;)
# Syntax to invoke script: firewall (start|stop|restart|status) EXTIF INTIF
# Example: "firewall start eth1 eth0"
# Version History:
# 0.86: Added a few comments
# 0.85: Various re-arrangements
#       Added TCP-SYN-flood protection
#       Added separate logging of pingfloods
#       Added automatic detection of parameters on internal interface
#       Made flooding-parameters variable
# 0.84: Added special ICMP-Filtering
# 0.83: Added ICMP-logging-chain
#       Some minor changes
# 0.82: Reorganized parts of the script
#       Added special user-chains
# 0.80: Altered logging strings to match fireparse
# 0.78: Added many comments
#       Completed flushing of tables (missing -X)
# 0.75: Added automatic detection of IP-address, gateway, etc of external interface
# 0.7: Added new logging-chains
# 0.65: Added special sanity checks for TCP-Flags
#       Silently filter out SMB-traffic
#       Removed unclean-checks (according to some docs still unstable)
# 0.6: Major redesign of whole script, divided into chain-sections
# 0.5: Adopted parts of firewall-script from http://members.optusnet.com.au/~technion/
#      Minor changes

# This is the location of the iptables command

case "$1" in
      echo "Shutting down firewall..."
      $IPTABLES -F
      $IPTABLES -F -t mangle
      $IPTABLES -F -t nat
      $IPTABLES -X
      $IPTABLES -X -t mangle
      $IPTABLES -X -t nat

      echo "...done"
      echo $"Table: filter"
      $IPTABLES --list
      echo $"Table: nat"
      $IPTABLES -t nat --list
      echo $"Table: mangle"
      $IPTABLES -t mangle --list
      $0 stop
      $0 start
    echo "Starting Firewall..."
    echo ""

##--------------------------Begin Firewall---------------------------------##


## Default external interface (used, if EXTIF isn't specified on command line)

## Default internal interface (used, if INTIF isn't specified on command line)

#----Special Variables-----#

# IP Mask for all IP addresses

# Specification of the high unprivileged IP ports.

# Specification of X Window System (TCP) ports.

# Ports for IRC-Connection-Tracking

#-----Port-Forwarding Variables-----#

#For port-forwarding to an internal host, define a variable with the appropriate
#internal IP-Address here and take a look at the port-forwarding sections in the FORWARD +

#These are examples, uncomment to activate

#IP for forwarded Battlecom-traffic

#Bittorrent Computer



#Blizzard Downloader

#IP for forwarded HTTP-traffic

#----Flood Variables-----#

# Overall Limit for TCP-SYN-Flood detection
# Burst Limit for TCP-SYN-Flood detection

# Overall Limit for Loggging in Logging-Chains
# Burst Limit for Logging in Logging-Chains

# Overall Limit for Ping-Flood-Detection
# Burst Limit for Ping-Flood-Detection

#----Automatically determine infos about involved interfaces-----#

### External Interface:

## Get external interface from command-line
## If no interface is specified then set $DEFAULT_EXTIF as EXTIF
if [ "x$2" != "x" ]; then
echo External Interface: $EXTIF

## Determine external IP
EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`"
  if [ "$EXTIP" = '' ]; then
     echo "Aborting: Unable to determine the IP-address of $EXTIF !"
     exit 1
echo External IP: $EXTIP

## Determine external gateway
EXTGW=`route -n | grep '' | grep -A 4 UG | awk '{ print $2}'`
echo Default GW: $EXTGW

echo " --- "

### Internal Interface:

## Get internal interface from command-line
## If no interface is specified then set $DEFAULT_INTIF as INTIF
if [ "x$3" != "x" ]; then
echo Internal Interface: $INTIF

## Determine internal IP
INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`"
  if [ "$INTIP" = '' ]; then
     echo "Aborting: Unable to determine the IP-address of $INTIF !"
     exit 1
echo Internal IP: $INTIP

## Determine internal netmask
INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`"
echo Internal Netmask: $INTMASK

## Determine network address of the internal network
echo Internal LAN: $INTLAN

echo ""

#----Load IPTABLES-modules-----#

#Insert modules- should be done automatically if needed

#If the IRC-modules are available, uncomment them below

echo "Loading IPTABLES modules"

dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
/sbin/modprobe ip_nat_irc ports=$IRCPORTS
dmesg -n 6

echo " --- "

#----Clear/Reset all chains-----#

#Clear all IPTABLES-chains

#Flush everything, start from scratch
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

#Set default policies to DROP

#----Set network sysctl options-----#

echo "Setting sysctl options"

#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/${EXTIF}/rp_filter

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#Set out local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 1 > /proc/sys/net/ipv4/tcp_sack
echo 1 > /proc/sys/net/ipv4/tcp_timestamps

#Ignore icmp echo (ping) broadcast events
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo " --- "

echo "Creating user-chains"

#----Create logging chains-----#

##These are the logging-chains. They all have a certain limit of log-entries/sec to prevent log-flooding
##The syslog-entries will be fireparse-compatible (see http://www.fireparse.com)

#Invalid packets (not ESTABLISHED,RELATED or NEW)
        $IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=INVALID:1 a=DROP "

#TCP-Packets with one ore more bad flags
        $IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=BADFLAG:1 a=DROP "

#Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
        $IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=SPECIALPORT:1 a=DROP "

#Logging of possible TCP-SYN-Floods
        $IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=SYNFLOOD:1 a=DROP "

#Logging of possible Ping-Floods
        $IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=PINGFLOOD:1 a=DROP "

#All other dropped packets
        $IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=TCP:1 a=DROP "
        $IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=UDP:2 a=DROP "
        $IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=ICMP:3 a=DROP "
        $IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=FRAGMENT:4 a=DROP "

#All other rejected packets
        $IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=TCP:1 a=REJECT "
        $IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=UDP:2 a=REJECT "
        $IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=ICMP:3 a=REJECT "
        $IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level info --log-prefix "fp=FRAGMENT:4 a=REJECT "
        $IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
        $IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable

#----Create Accept-Chains-----#

#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in

        $IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
        $IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
        $IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT

#----Create special User-Chains-----#

#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)

        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG


        #Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)

                $IPTABLES -N SMB

                $IPTABLES -A SMB -p tcp --dport 137 -j DROP
                $IPTABLES -A SMB -p tcp --dport 138 -j DROP
                $IPTABLES -A SMB -p tcp --dport 139 -j DROP
                $IPTABLES -A SMB -p tcp --dport 445 -j DROP
                $IPTABLES -A SMB -p udp --dport 137 -j DROP
                $IPTABLES -A SMB -p udp --dport 138 -j DROP
                $IPTABLES -A SMB -p udp --dport 139 -j DROP
                $IPTABLES -A SMB -p udp --dport 445 -j DROP

                $IPTABLES -A SMB -p tcp --sport 137 -j DROP
                $IPTABLES -A SMB -p tcp --sport 138 -j DROP
                $IPTABLES -A SMB -p tcp --sport 139 -j DROP
                $IPTABLES -A SMB -p tcp --sport 445 -j DROP
                $IPTABLES -A SMB -p udp --sport 137 -j DROP
                $IPTABLES -A SMB -p udp --sport 138 -j DROP
                $IPTABLES -A SMB -p udp --sport 139 -j DROP
                $IPTABLES -A SMB -p udp --sport 445 -j DROP

        #Inbound Special Ports


                #Deepthroat Scan
                $IPTABLES -A SPECIALPORTS -p  tcp --dport 6670 -j LSPECIALPORT

                #Subseven Scan
                $IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT

                #Netbus Scan
                $IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT

                #Back Orifice scan
                $IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT

                $IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS  -j LSPECIALPORT

                #Hack'a'Tack 2000
                $IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT


        #Inbound ICMP/Traceroute

                $IPTABLES -N ICMPINBOUND

                #Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD

                #Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP

                #Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP

                #Block ICMP-address-mask (can help to prevent OS-fingerprinting)
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP
                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP

                #Allow all other ICMP in
                $IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT

        #Outbound ICMP/Traceroute


                #Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP

                #Block ICMP-TTL-Expired
                #MS Traceroute (MS uses ICMP instead of UDp for tracert)
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP

                #Block ICMP-Parameter-Problem
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP

                #Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP

                #Block ICMP-address-mask (can help to prevent OS-fingerprinting)
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP

                ##Accept all other ICMP going out
                $IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT

# Throttle SSH connections by host
#    to prevent brute force attacks
    $IPTABLES --append SSHTHROTTLE --match recent --name ssh_throttle --seconds $(( 3600 * 18)) --update -j DROP
    $IPTABLES --append SSHTHROTTLE --match limit --limit 3/hour -j RETURN
    $IPTABLES --append SSHTHROTTLE --match recent --name ssh_throttle --set -j DROP

#----End User-Chains-----#

echo " --- "

#----Start Ruleset-----#

echo "Implementing firewall rules..."

## INPUT-Chain ## (everything that is addressed to the firewall itself)

##GENERAL Filtering

  # Kill INVALID packets (not ESTABLISHED, RELATED or NEW)

  # Check TCP-Packets for Bad Flags


  #Local IF
  #Kill connections to the local interface from the outside world (--> Should be already catched by kernel/rp_filter)


##Allow unlimited traffic from internal network using legit addresses to firewall-box
##If protection from the internal interface is needed, alter it


  #Allow Local DHCP Service Nonsense
  $IPTABLES -I INPUT -i ! $EXTIF -p udp -s -d --sport 68 --dport 67 -j ACCEPT

  #Kill anything from outside claiming to be from internal network (Address-Spoofing --> Should be already catched by rp_filter)


## DHCP Server on ISP's Site
  $IPTABLES -I INPUT -i $EXTIF -p udp -s -d --sport 67 --dport 68 -j ACCEPT
  if [ -f /var/lib/dhcp3/dhclient.${EXTIF}.leases ]; then
        DHCPSID=$(grep dhcp-server-identifier /var/lib/dhcp3/dhclient.${EXTIF}.leases | tail --lines=1 | sed --expression='s;.* \([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\).*;\1;')
        echo $IPTABLES -I INPUT -i $EXTIF -p udp --sport 67 --dport 68 --source "$DHCPSID" -j ACCEPT
        $IPTABLES -I INPUT -i $EXTIF -p udp --sport 67 --dport 68 --source "$DHCPSID" -j ACCEPT

##ICMP & Traceroute filtering

  #Filter ICMP

  #Block UDP-Traceroute
  $IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP

##Silent Drops/Rejects (Things we don't want in our logs)

  #Drop all SMB-Traffic

  #Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset

##Public services running ON FIREWALL-BOX (comment out to activate):

  # ftp-data
  #$IPTABLES -A INPUT -i $EXTIF -p tcp  --dport 20 -j TCPACCEPT

  # ftp
  #$IPTABLES -A INPUT -i $EXTIF -p tcp  --dport 21 -j TCPACCEPT

  # ssh
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j TCPACCEPT
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 --syn -j SSHTHROTTLE
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 --match state --state NEW -j TCPACCEPT

  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j TCPACCEPT

  # smtp
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j TCPACCEPT

  # DNS
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT
  $IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT

  # http
  # $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT

  # https
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j TCPACCEPT

  # POP-3
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j TCPACCEPT

##Separate logging of special portscans/connection attempts


##Allow ESTABLISHED/RELATED connections in

  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
  $IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT

##Catch all rule

## Output-Chain ## (everything that comes directly from the Firewall-Box)


  #Local IF


  #Allow unlimited traffic to internal network using legit addresses


  $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport ntp --dport ntp -j ACCEPT

##ICMP & Traceroute


##Silent Drops/Rejects (Things we don't want in our logs)


  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT --reject-with tcp-reset

##Public services running ON FIREWALL-BOX (comment out to activate):

  # ftp-data
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp  --sport 20 -j ACCEPT

  # ftp
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp  --sport 21 -j ACCEPT

  # ssh
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 8193 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT

  # smtp
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

  # DNS
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT
  $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT

  # http
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

  # https
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

  # POP-3
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

  # DHCP Server on ISP's Site
  $IPTABLES -A OUTPUT -o $EXTIF -p udp  --sport 68 --dport 67 --source --destination -j ACCEPT
  if [ -f /etc/dhcpc/dhcpcd-${EXTIF}.info ]; then
        DHCPSID=$(grep DHCPSID /etc/dhcpc/dhcpcd-${EXTIF}.info | awk -F= '{print $2}')
        $IPTABLES -A OUTPUT -o $EXTIF -p udp  --sport 68 --dport 67 --destination $DHCPSID -j ACCEPT

  # DHCP Server inside Firewall Box
        $IPTABLES -A OUTPUT -o ! $EXTIF -p udp  --sport 67 --dport 68 -j ACCEPT

##Accept all tcp/udp traffic on unprivileged ports going out


##Catch all rule


## FORWARD-Chain  ## (everything that passes the firewall)

##GENERAL Filtering

  # optimal forwarding rates
  $IPTABLES -A FORWARD -i ! $EXTIF -o $EXTIF -m state --state NEW -j ACCEPT

  #Kill invalid packets (not ESTABLISHED, RELATED or NEW)

  # Check TCP-Packets for Bad Flags

  # Bad Broadcasting

  # Spoofing

  ##Silent Drops/Rejects (Things we don't want in our logs)

   $IPTABLES -A FORWARD -p tcp -m multiport --destination-ports 137,138,139,445 -j DROP
   $IPTABLES -A FORWARD -p udp -m multiport --destination-ports 137,138,139,445 -j DROP


  ##Special Drops/Rejects
   # - To be done -

  ##Filter for some Trojans communicating to outside
   # - To be done -

  ##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)

   #$IPTABLES -A FORWARD -o $EXTIF -s $HTTPIP -p tcp --sport 80 -j ACCEPT

  ##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net

  ##Allow non-external nets to talk to each other, q.v. wireless to wired "internal" networks
  $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p tcp -m multiport --destination-ports ssh,sunrpc,snmp,snmptrap,631,940,943,946,949 -j ACCEPT
  $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p udp -m multiport --destination-ports ssh,sunrpc,snmp,snmptrap,631,940,943,946,949 -j ACCEPT
  $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p tcp -m multiport --destination-ports $UNPRIVPORTS -j ACCEPT
  $IPTABLES -A FORWARD -i ! $EXTIF -o ! $EXTIF -s $INTLAN -p udp -m multiport --destination-ports $UNPRIVPORTS -j ACCEPT


  ##Silent Drops/Rejects (Things we don't want in our logs)

   #SMB Handled Above

  ##Allow replies coming in
  $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state RELATED -j ACCEPT

##Port-Forwarding [inbound] (--> Also see chain PREROUTING)

  $IPTABLES -A FORWARD -i $EXTIF -p tcp -d $HTTPIP --dport 80 -j ACCEPT

  #$IPTABLES -A FORWARD -p tcp --dport 2300:2400 -i $EXTIF -d $BATTLECOMIP -j ACCEPT
  #$IPTABLES -A FORWARD -p udp --dport 2300:2400 -i $EXTIF -d $BATTLECOMIP -j ACCEPT
  #$IPTABLES -A FORWARD -p tcp --dport 47624 -i $EXTIF -d $BATTLECOMIP -j ACCEPT



  $IPTABLES -A FORWARD -p tcp --match multiport --destination-ports $BLIZZARD_PORTS -i $EXTIF -d $BLIZZARD_DEST -j ACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -d $BLIZZARD_DEST -p tcp --match multiport --destination-ports $BLIZZARD_PORTS --match state --state NEW -j ACCEPT

##Catch all rule/Deny every other forwarding



##Port-Forwarding (--> Also see chain FORWARD)

   $IPTABLES -A PREROUTING -t nat -i ! $EXTIF -p udp --destination-port ntp -j REDIRECT

  $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp -d $EXTIP --dport 80 -j DNAT --to $HTTPIP

  #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port 2300:2400 -i $EXTIF -j DNAT --to $BATTLECOMIP
  #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --destination-port 2300:2400 -i $EXTIF -j DNAT --to $BATTLECOMIP
  #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port 47624 -i $EXTIF -j DNAT --to $BATTLECOMIP:47624

  $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port $BITTPORT -i $EXTIF -j DNAT --to $BITTORRENT:$BITTPORT
  $IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --destination-port $BITTPORT -i $EXTIF -j DNAT --to $BITTORRENT:$BITTPORT


  $IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --destination-port $VONAGEPORTS -i $EXTIF -j DNAT --to $VONAGEIP

  $IPTABLES -t nat -A PREROUTING --destination   $EXTIP --in-interface   $EXTIF -p tcp --tcp-flags SYN,ACK,FIN,RST SYN --match multiport --destination-ports $BLIZZARD_PORTS -j DNAT --to $BLIZZARD_DEST


  #Masquerade from Internal Net to External Net
  $IPTABLES -A POSTROUTING -t nat --out-interface $EXTIF -j SNAT --to-source $EXTIP

  # Initial Shape Classifier
  # gIive "overhead" packets highest priority
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp -j CLASSIFY --set-class 1:60
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK -m length --length 40:68 -m state --state ESTABLISHED,RELATED -j CLASSIFY --set-class 1:10
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --syn -m length --length 40:68 -j CLASSIFY --set-class 1:10
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j CLASSIFY --set-class 1:10
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j CLASSIFY --set-class 1:10
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL RST -j CLASSIFY --set-class 1:10
  #$IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK,RST -j CLASSIFY --set-class 1:10
  #$IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL ACK,FIN -j CLASSIFY --set-class 1:10
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --tcp-flags ALL FIN -j CLASSIFY --set-class 1:10
  # interactive SSH traffic and UDP gaming
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p udp -j CLASSIFY --set-class 1:20
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF --source $VONAGEIP -p udp -j RETURN
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p udp -j CLASSIFY --set-class 1:30
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --sport ssh -m length --length 40:100 -j CLASSIFY --set-class 1:20
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport ssh -m length --length 40:100 -j CLASSIFY --set-class 1:20
  # interactive mail or web traffic
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp -m multiport --dport http,pop2,pop3,imap,https,imaps -j CLASSIFY --set-class 1:30
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp -m multiport --sport http,pop2,pop3,imap,https,imaps -j CLASSIFY --set-class 1:30
  # dns lookups
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport domain -j CLASSIFY --set-class 1:30
  # ICMP
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p icmp -m length --length 28:1500 -m limit --limit 2/s --limit-burst 5 -j CLASSIFY --set-class 1:40
  # bulk traffic
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --sport ssh -m length --length 101: -j CLASSIFY --set-class 1:50
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport ssh -m length --length 101: -j CLASSIFY --set-class 1:50
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --sport 25 -j CLASSIFY --set-class 1:50
  $IPTABLES -t mangle -A POSTROUTING -o $EXTIF -p tcp --dport 6667 -j CLASSIFY --set-class 1:50

ip6tables -P FORWARD DROP

#------End Ruleset------#

echo "...done"
echo ""

echo "--> IPTABLES firewall loaded/activated <--"

##--------------------------------End Firewall---------------------------------##

      echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
      exit 1

exit 0

Slashdot Login

Need an Account?

Forgot your password?